Hey Telco Security Ninjas,
The UK Telecommunications Security Act (TSA) compliance is coming and SecOps teams will play a more prominent role in ensuring a resilient mobile network and keeping our 5G connections stable. First of all, thank you for your passion for cybersecurity and your hard work. You have a very important purpose and mission for the country's resilience.
With the rollout of UK TSA regulations, numerous departments and business stakeholders involved in digital services will come to rely on the support and service of the SecOps team. The scope of coverage and needed operating model will expand, requiring proactive preparation by the teams involved.
In this post, we will
During the TSA consultation process, tier 1 providers raised concerns regarding additional costs and tight timelines for implementation. Another raised issue was the possibility of an impact on 5G rollouts and beyond.
So what specific requirements does the legislation place on SOC teams? What practices may already be in place at your organization and what adjustments need to be made? Let's do a sanity and hygiene check. But first some good news. SOC teams are most likely to receive attention, funding, and support from management and business stakeholders as non-compliance could result in hefty fines.
The faster and more efficiently the validation of the necessary measures runs, the lower the cost and friction for all stakeholders involved. This is great news for Splunk customers and our platform approach: adoption is simple, and if specific assets are not currently monitored, adding coverage is a seamless process. Moreover, it provides an opportunity to assess the feasibility of standardizing on Splunk Enterprise Security and making progress toward mature Standard Operating Procedures (SOPs) with the support of Splunk SOAR capabilities.
The bad news is that this project requires collaboration with many different teams.
We reviewed the Code of Practice and extracted what we believe are the most crucial measures for you as a SOC team to validate. Please let us know if we missed any measures that are of utmost importance to you!
Regulation 6 establishes the requirement to monitor and analyze access to security-critical functions of the public electronic communications network in order to be able to identify security risks at an early stage and investigate the root cause. Records must be kept secure for at least 13 months.
The Security Code of Practice describes many best practices for network and host-based monitoring as well as effective analysis and operations within a SOC.
5.19 describes that a "story" must be created, e.g. a session audit trail: "Monitoring data should link administrative actions to network administrators and onto tickets." Because the TSA has a strong focus on the risk posed by third-party administrators at MSPs, following the supply-chain hacking activity of "APT10", this is a perfect use case to set up monitoring and automate with your SIEM.
It is crucial to implement a procedural level change management process across all of the organization's most critical applications. The most common approach is to use the ticketing systems to document upcoming system maintenance activities and define the 5 W’s: Who, What, When, Where, and Why.
Security monitoring is greatly simplified by correlating change tickets with audit trails and activities. Changes made outside of the designated change windows can be treated as potentially malicious activities or anomalies, while changes made within the specified time window can be treated as “acceptable” or “trustworthy”. Depending on the risk appetite, trusted changes may also be subject to review.
Let’s decode this with an example. Let's assume a change management ticket in ServiceNow contains the following:
Peter performs maintenance work on 24.12.2024 from 11.00-15.00 on ericsson-5g-catalog-manager-lon1 - 5 to do a firmware update.
Peter comes from a third-party MSP. It’s organizationally specified that he uses the telco’s Citrix service as an admin hop client to connect to the telco’s backend infrastructure.
Multiple security correlation searches can now be set up, such as:
Since this scenario is not concerned with a malicious administrator (insider threat), but rather with a malicious foreign actor who has stolen an administrator's identity, we must contact that administrator within a set timeframe.
This example establishes a minimum set of guard rails for monitoring with a very low false positive rate. Establishing an organizational change process is the foundation: without it, the SOC team reviews individual security alerts without context, which makes follow-up tedious.
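As an added example (not Splunk's code and not a correlation search from the post), here are the guard rails above expressed as a small Python check that compares constructed session audit-trail events with a constructed change ticket modelled on Peter's ServiceNow entry. The ticket id, the hostname spelling and the hop-client name are assumed placeholders.

```python
from datetime import datetime

# Constructed change ticket modelled on the ServiceNow example in the post.
# Ticket id, hostname spelling and hop-client name are assumed placeholders.
TICKET = {
    "id": "CHG-PLACEHOLDER",
    "admin": "peter",
    "host": "ericsson-5g-catalog-manager-lon1-5",
    "start": datetime(2024, 12, 24, 11, 0),
    "end": datetime(2024, 12, 24, 15, 0),
    "hop_client": "citrix-admin-hop",  # mandated admin hop client for MSP staff
}

# Constructed session audit-trail events: who did what, from where, on which host, when.
EVENTS = [
    {"ts": datetime(2024, 12, 24, 11, 42), "user": "peter", "src": "citrix-admin-hop",
     "dest": "ericsson-5g-catalog-manager-lon1-5", "action": "firmware_update"},
    {"ts": datetime(2024, 12, 24, 22, 5), "user": "peter", "src": "citrix-admin-hop",
     "dest": "ericsson-5g-catalog-manager-lon1-5", "action": "config_change"},
    {"ts": datetime(2024, 12, 24, 12, 10), "user": "peter", "src": "203.0.113.7",
     "dest": "ericsson-5g-catalog-manager-lon1-5", "action": "ssh_login"},
    {"ts": datetime(2024, 12, 24, 12, 30), "user": "anna", "src": "citrix-admin-hop",
     "dest": "ericsson-5g-catalog-manager-lon1-5", "action": "ssh_login"},
    {"ts": datetime(2024, 12, 24, 13, 0), "user": "peter", "src": "citrix-admin-hop",
     "dest": "ericsson-5g-catalog-manager-lon2-1", "action": "ssh_login"},
]

def classify(event, ticket):
    """Compare one audit-trail event with the change ticket.

    Returns "trusted" when admin, host, time window and hop client all match,
    "no_matching_ticket" when the ticket does not cover the target host (other
    tickets may apply), otherwise "anomaly:" plus the guard rails that failed.
    """
    if event["dest"] != ticket["host"]:
        return "no_matching_ticket"
    failed = []
    if event["user"] != ticket["admin"]:
        failed.append("unexpected_admin")       # identity not named on the ticket
    if not ticket["start"] <= event["ts"] <= ticket["end"]:
        failed.append("outside_change_window")  # activity outside the 5 W's window
    if event["src"] != ticket["hop_client"]:
        failed.append("bypassed_admin_hop")     # did not come through the Citrix hop
    return "trusted" if not failed else "anomaly:" + ",".join(failed)

def triage(events, ticket):
    """Return one verdict per event, in audit-trail order."""
    return [classify(e, ticket) for e in events]

if __name__ == "__main__":
    for e, verdict in zip(EVENTS, triage(EVENTS, TICKET)):
        print(e["ts"], e["user"], e["action"], "->", verdict)
```

Each "anomaly" verdict is the trigger for contacting the named administrator within the agreed timeframe, while "trusted" events can still be sampled for review depending on risk appetite.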
Hope you enjoyed this blog where we connected regulation requirements with real-world operations.
Happy Splunking,
Matthias