Elucubrations: Service catalog – structuring the big picture for a security operations service

Assume this task: Write a service catalog for IT Security Operations

Assume that IT Security Operations has to write down their services for a large company. I like this task. I believe that writing down the services helps clarify the mission and targets, focus on deliverables asked for and ease collaboration with the related IT and business areas.

In this blog I describe my thoughts about structuring the big picture of the service catalog for IT Security Operations. My thoughts may be useful for similar endeavors.


Four questions that help structure the big picture of our service catalog

  • What is the most logical structure for IT security operations services?
  • Who is the main client and what is his mandate? Who are additional clients and stakeholders?
  • What does the service list look like?
  • What layout/details shall describe the services on the list?

To answer these questions requires talking to the subject matter experts within the IT Security Operations team and around it.


What is the most logical structure for IT security operations services?

The mission of Security Operations is: “We detect, defend and prevent attacks.” They are a “watch dog” for the enterprise IT infrastructure.

  • They detect attacks based on the knowledge about threats and vulnerabilities and based on analyzing logs as well as user/client reports of attacks perceived.
  • They defend attacks that have penetrated into the IT infrastructure. They stop incidents immediately and for major attacks they collaborate with other teams and with management.
  • They prevent attacks in future by feeding back their hands-on experience to security -, risk – or engineering teams and their management.

I like the mission “detect, defend, prevent” to give structure to the services. This is a process oriented view.

An alternative is the attack classification (e.g. by objectives such as privilege gain, denial of service (DDOS) or malware). I  rejected to use attack classification, because it is ambiguous (research has provided multiple  classifications) and rather reflects a client or market view (e.g. selling malware defense services and tools) which is less relevant for an internal service. I prefer the process view.

Conclusion: For our service catalog, structuring the services along the lines “detect, defend and prevent” or along the process is the best option.


Who is the main client and what is his mandate? Who are additional clients and stakeholders?

In the organization that I had in mind, IT security has been assigned to a cross-functional department (owning enterprise IT security). This IT Security Department has “outsourced” IT security operations to the IT department that owns incident and problem management. Hence the IT Security Department is the main client of IT Security Operations. I believe this is an efficient organizational set up for IT Security Operations, as they will  follow  the one incident/problem management process (IPM) that holds for all IT services often following the best practice library ITIL.

In addition to the IT Security Department, IT Security Operations has more clients/stakeholders such as Legal&Compliance, Business Risk Functions and Officers, Fraud Detection, Enduser or Server Operations, Application Development or Enterprise Architecture. The major stakeholders collaborate in a Security Committee.

Indirectly all employees and business clients as well as all departments benefit from IT Security Operations, as they can rely on the “watch dog” detecting, defending and preventing attacks. IT Security Operations is a link in the value chain delivering to the entities that are in more direct contact with the end clients.

Conclusion: The IT Security Department (owning IT security services) is the main client of IT Security Operations (responsible for security incident/problem management)… in the setup that I was confronted with.


What does the service list look like? 

Even if a service list already exists, I propose to change it, in case it does not fit the logical structure “detect, defend and prevent”.  A logical structure eases communication. Also service names have to be as short and concise as possible. To convince the stakeholders of the catalog, I always make a cross tabulation to show where the differences are  (while working the existing list into my proposal). This is a description of the process:

  • “Detect” encompasses (1) operating the security tools (needed for attack detection), (2) security event monitoring (normalizing a variety of logs), (3) running a security and advisory desk, and (4) security incident detection (analyzing the logs, taking into consideration attacks reported to the service desk by internal users and external clients, being aware of vulnerabilities found in vulnerability scans and benefiting from knowledge bases available from sources such as governmental or research authorities).
  • “Defend” is (1) incident response (taking immediate action to stop incidents) and (2) security problem management (initiating/participating in solving major problems).
  • “Prevent” is providing (1) a vulnerability scan service, (2) reporting security incidents (successful and unsuccessful attacks) and (3) consulting about security operations (based on hands-on experience with attacks, e.g. in  Security Committees, to project and system managers or to security architects).

Conclusion: The big picture is clear – mission (detect, defend, prevent attacks; responsibility for security incident and problem handling), main client (IT Security Department or owner of security), and the service list (to be illustrated as a pie chart along the lines “detect, defend, prevent”) . This will be the heart of the service overview chapter.


What layout shall describe the services on the list?

Based on the ITIL best practice and with some minor modifications, I chose this layout to describe the service items on the lists:

  • Service name: Describing the service as shortly and as clearly as possible. Example: “Security incident response” or “Security event monitoring”.
  • Service lifecycle status: Mostly operational.
  • Client/audience: Business or IT facing. Examples: IT Security or Legal&Compliance.
  • Service owner/manager: Responsible person from within IT Security Operations.
  • Service description: Short outline of the service and reason. Example: IT Security relies on measures being taken to stop incidents detected. Or: Legal&Compliance relies on logs available for compliance coverage.
  • Service deliverables: Breaking down the service into individual results. Example: Incident classes in scope such as DDOS, malware, phishing etc. Or: Logs available for compliance.
  • Limitation of the service: What is included. Example: Only handling security relevant incidents.
  • Service dependencies: Prerequisites for the service. Example: IPM process is operational. Or: Raw event logs are available for normalization and further analysis.
  • Cost recovering: Lump sum recovery or cost charging based on prices. Example: IT Security provides the budget, but projects pay for security operations consultancy.
  • Service changing/canceling: How can the service be modified or canceled. Example: IT Security Committee agrees about new incident classes to be included.
  • Service support: Contact points. Example: Dispatching group defined for ticketing process or one mailbox for clients to report observed/suspected attacks.
  • Hours of operation: Example: 7×24 or week days with on call availability.
  • Performance metrics: What are the handles to measure the quality of the deliverable. Example: Resolution time for incidents or false positives. Note that research (e.g. from Forrester or Gartner) is available that supports defining performance metrics for security.
  • Target service level: What service level is to be delivered (ITIL calls this “service level agreement”). Example: 99% of malware attacks stopped within 24 hours hours or no more than 10% false positives


Conclusion: Deliverables matter

I strongly believe that it is indispensable to focus the service catalog on deliverables. The clients/stakeholders want to know, what is in it for them: What matters for them are the results, not the tasks performed that describe “how” results are achieved. Focusing on deliverables leaves room for optimizing or innovating the process at the point where the process knowledge is – in IT Security Operations.



Ohrid in Macedonia – Sveta Sofia and Bogorodiza, Sveti Kaneo – and Renaissance icons

On September 30th 2015 I visited Ohrid. Elena took us through her town. The three main churches that we visited were the cathedral of Sveta Sofia, the church of Sveta Bogorodiza with the adjacent icon museum and the church of Sveti Jovan Kaneo which is said to be the most photographed church. In the churches and in the museum, they sell small booklets with photographs of the icons (Мале туристичке мононрафии ). The booklets are worth buying. I scanned some of the fotos to give an impression of the icons in this blog.


The cathedral Sveta Sofia or Света Софиja

“Sofia”” means “wisdom”. Probably the cathedral Sveta Sofia was already in use in the 10th century – under Zar Samuel from Bulgaria. This is the view from outside.


Sveta Sofia must have been decorated shortly before the shisma of 1054 (Orthodox and Catholic). Before the schisma Archbishop Leon (1037-1056) mediated between the orthodox and the catholic directions of belief by having painted not only the orthodox archpriests, but also the popes of Rome. Below are the popes of Rome.

SvSofia 2

Source: “Света Софиja Охрид”, Мале туристичке мононрафии 47, Загреб 1986

Under the Ottomans, the narthex of the cathedral became a mosque and the choir was separated from the mosque. Hidden away in the choir, the 11th century frescoes have been preserved.

The wise Godmother dominates the choir. She seems to dream of her son: He stands in an oval shaped cloud (the son does not sit on her arm – so he has not yet been born, but is just a thought).

SvSofia 1

Source: “Света Софиja Охрид”, Мале туристичке мононрафии 47, Загреб 1986

Underneath the Godmother are Christ and the 12 apostles at the Last Supper. The scene looks more like the communion service to  me.


The  church Sveta Bogorodica Perivlepta or Света Вогородица

Our next stop is Sveta Bogorodica Perivlepta. In the Ottoman times, the relics of Sv Kliment were kept here, this is why the church is also known under the name of Sv. Kliment.


Sveta Bogorodiza has remained a church in Ottoman times. This is why the frescoes have been preserved here as well. These frescoes from the late 13th century  are called “Renaissance”. Overcoming the rigid rules of traditional Byzantine icon painting, the artists brought life and perspective to the scenes. One example is the mourning of Christ – the lady in the background throws up her hands.

Bogorodiza 2

Source: “Црква Св.  Климент”, Мале туристичке мононрафии 44б Загреб 1988

This early Renaissance movement reminds me of the Brancacci Chapel in Florence that a 100 years later was marked by Masolino’s somewhat rigid fresco about the temptation just across from Massaccio’s vivid representation of the expulsion from the paradise.

The representation of the Last Supper shows Christ twice, first handing out bread and second handing out wine… it is like an “infograph” telling a story.

Bogorodiza 1

Source: “Црква Св.  Климент”, Мале туристичке мононрафии 44б Загреб 1988

In the church we also find frescoes painted in the Ottoman times (starting around 1450) that follow again more traditional Byzantine rules of icon painting.


The Icon Gallery

To round off the overview of the icons, Elena takes me to the icon gallery, just opposite of the Bogorodiza church.

11th century: The icons create distance between humans and saints. The saints look calm and stiff – they are remote holy beings.


Source: “галерия на икони – Орха” (NI Institute for Protection of the Monuments of Culture and Museum)


12th/beginning of 13th century: The figures become more vivid and more realistic like in this annunciation.

Annunciation 12a13th century

Source: “галерия на икони – Орха” (NI Institute for Protection of the Monuments of Culture and Museum)


End of 13th to 15th century (1261-1453): This period is called Renaissance of the Paleologues and takes place during the second Byzantine reign. Pespective appears in the icons and the saints are represented as human beings. The distance between the saints and the spectators diminishes. This is the evangelist Matthew, painted in the 14th century.


Source: “галерия на икони – Орха” (NI Institute for Protection of the Monuments of Culture and Museum)

And this is an annunciation also from the 14th century.



Under Ottoman rule (around 1450 onwards): The saints are again represented in a formal, rigid manner and the icon seems to be “flat”. This is Archangel Michael from the 17th century.


Source: “галерия на икони – Орха” (NI Institute for Protection of the Monuments of Culture and Museum)


Sveti Jovan Kaneo – the most photographed church

We round off our tour of the three preferred churches in Ohrid with Sveti Jovan Kaneo. It is probably the most photographed church, and it is usually shown with the Ohrid lake in the background.


I also liked the view from below – from here the jagged roof of the central dome can be seen more clearly.


“This is my favorite church”, says Elena, “I love the sunset here. ”

Thank you, Elena, for all these insights into Ohrid and the iconography.



Albania – an excursion to Ohrid in Macedonia

Today it is September 30th. Our plan: Leave Korça and travel to Macedonia to visit the Naum monastery and Ohrid. Then return to Pogradec in Albania.


Leaving Kroça – a quick stop at their brewery

After a tasty breakfast with local specialties we leave the cosy guesthouse Bujtina Leon. Ben takes me to the brewery of Birra Korça.


The Korça beer is available all over Albania. In August, they have a beer festival, similar to the Oktoberfest in Munich. Some 100’000 persons participate in the beer garden next to the brewery. Does Munich know about their little brother?


Crossing the border to Macedonia – first stop at St. Naum monastery

This is our first view of the lake Ohrid,  shortly before arriving at Pogradec.


We cross the border and visit the St. Naum monastery…


… with its frescoes.


St, Naum and St. Kliment have brought Christianity to this area – in the 9th century. They were the disciples of Cyrill and Methodius. We will meet St. Kliment in Ohrid.


Ohrid îs a gorgeous town with narrow streets, Turkish style houses and amazing churches – one for each day of the year

Around noon, we arrive in Ohrid. Elena is waiting for us. She is a translator for English, Italian and Spanish and now works as a tour guide. She loves her city and is full of stories. “Ohrid”, she says proudly, “has many, many churches, one for each day of the year.” “Great, and what about the leap year?” I ask. “We will surely find a 366th church”, she answers smiling mildly. It is true, we come across many, many small churches, and we stop extensively at three churches: The cathedral of Sveta Sofia, the church of Sveta Bogorodiza with the adjacent icon museum and the church of Sveti Jovan Kanoa which is said to be the most photographed church. I will talk about these churches in my next blog.

While walking Elena stops after every few steps to point out some details that otherwise would remain unnoticed. We enter the city at the lower gate.


The streets are narrow. The Turkish houses grow in size from bottom to top.


At the bottom, Elena says, space is needed for the traffic in the streets. And higher up, the houses grow in size to efficiently use the space. Sometimes this pattern is even repeated in the lamps.



Roman and Greek remains

While walking through the streets of Ohrid we find these Roman mosaics that have been uncovered. Entry free.


The Greek amphitheatre from the second century BC has a wonderful view of the town and the lake. The theatre was covered in Ottoman times. It has been discovered only recently, Elena says. To excavate it, houses had to be removed. Now the theatre hosts performances. I like the view of the lake and the – mostly – Ottoman houses – no construction sins can be found here (why does the Treschner guidebook complain about the houses hindering the view of the lake? These houses have been here for centuries and before the theatre had been rediscovered…).


At various places in town, Elena says: “Here is the theatre”. But the theatre is not “here”, I think. Then again: “Here you can see the theatre.” What does Elena mean? I ask myself. It takes a long time, until I understand: In many churches and houses, columns and stones from the theatre have been reused. Yes, now I understand, why the theatre is omnipresent in Ohrid.


We are hungry – we have completely forgotten about eating and now it is almost 3 PM

Just across the cathedral Sveta Sofia, we have lunch with regional specialties. To me these Macedonian bites look like mezze. And the fish soup is one of the best fish soups that I have ever eaten – light and with a fresh-sourish taste.


We say good-bye to Elena and exchange business cards. Elena was an excellent and knowledgeable guide.


Driving back to Pogradec

On the way back to Pogradec we come across the stilt houses. Unfortunately the museum closes already at 4PM.


We are about an hour late. We cross the border to Albania and settle in the five star hotel Enkelana. Well – five stars is a bit much for the place. But it is an interesting time travel back to communist times. Old communist style hotels and American top hotels like Hilton have one thing in common: They lack atmosphere, even if they are a safe bet – we know what we can expect. Ben smiles and shows me the tiles on the floor. They look like an irregular mosaic and have been there since communist times. I later hear that this style is called “Terrazo“.


Dinner at the Enkelana: Koran, the endemic trout of the Ohrid lake

Ben has eaten in the Enkelana before and recommends to try Koran fish here. Koran  is the trout endemic to the Ohrid lake. Ben say that in communist times they have eaten the Koran fish on the Yugoslavian side – now it is the turn for the Albanians to eat it. I feel a little bad, as I suspect that this trout is in danger of extinction.


Before the hydropower stations, the eel of the Ohrid lake travelled to the Sargasso Sea in the Carribean and their offspring travelled back to the Ohrid lake. But the dams in the Black Drin have resulted in the eels not to come back to the Ohrid lake any more. I am shocked, how we humans are changing the world. Not only here in the Balkans. We made the same experience in Basel – the salmon came back from the sea, until the dams were built – and they have not yet found their way back using the fish ladders that have recently been installed.