The first strategy: consolidate the functions of CND (Computer Network Defense) under one organization. As discussed in Section 2.8, a SOC must be able to respond to the actions of the adversary; as a result, the elements of CND must be tightly coupled.
The five elements of a unified CND command structure:
- Real-time monitoring and triage (Tier 1)
- Incident analysis, coordination, and response (Tier 2 and above)
- Cyber intel collection and analysis
- Sensor tuning and management and SOC infrastructure O&M
- SOC tool engineering and deployment
Results of keeping these five elements together:
- CND operations are synchronized.
- Detection and response are efficient, accurate, and relevant.
- Resources are maximized.
- Cyber SA (Situational Awareness), incident data, operations, and tools form a closed loop.
- Consolidated, unified SA is provided to the director of incident response and management.
Do not break the five atomic SOC functions apart into separate organizations; doing so harms the CND mission.