Missing Link in ENTERPRISE NETWORKING
By: Bilal Aslam | 14 May 2016
Corporations spend millions of dollars on building and executing their security operations. To avoid failures and maximize return on investment (ROI), there are several factors to consider when designing and building a mature security operations center (SOC).
Security operations success starts with knowing the organization's business and technical needs and setting appropriate goals. The following are five key factors that should be considered when implementing a new SOC.
Many SOCs are built without a clear picture of what should be monitored in the environment. Before the build itself, you must understand and address the business needs and technical requirements. In fact, the time invested in planning the SOC build should be considerably greater than the time spent on the build itself.
These business and technical requirements can be translated into use cases. A business use case might be: the SOC must detect, and alert on, any financial transaction exceeding a specific amount. A technical use case might be: anomalous behavior on a host or network segment must be flagged and investigated further.
Another challenge is translating these use cases into the rules configured on the security information and event management (SIEM) tool. If events are not parsed correctly or rules are not configured properly, you won't achieve the required results; a rule that never sees the events it cannot parse fails silently. These correlation rules should be retuned periodically to eliminate noise and false positives.
Similarly, there should be a periodic check for integrated log sources that have stopped reporting to the SIEM tool; a source that goes quiet is a visibility gap, not a sign that nothing is happening. Details on the log sources and network hierarchy, along with asset vulnerability details, should be fed into the SIEM system for better visibility into the corporate environment.
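The following is an added example, not code from the article or from any particular SIEM product, showing what "translating a use case into a correlation rule" looks like in practice. A small Python correlator runs two rules over constructed sample log lines: the large-transaction business use case and a firewall deny-burst technical use case. It also counts events that fail to parse (the silent-failure mode mentioned above) and performs the log-source silence check. The log format, source names, field names, thresholds and time windows are all assumptions made for the example.

```python
"""Minimal SIEM-style correlator (added example; log format and rules are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Assumed format: "<ISO timestamp> <source> key=value ...".
# Line 4 uses a different timestamp format on purpose: it carries a 150000 transaction
# that the large-transaction rule will never see because the event does not parse.
SAMPLE_LOGS = [
    "2016-05-14T09:00:00 payments-app txn_id=1001 user=alice amount=4200 currency=USD",
    "2016-05-14T09:00:05 fw-edge action=allow src=10.0.0.5 dst=93.184.216.34 dport=443",
    "2016-05-14T09:00:10 payments-app txn_id=1002 user=bob amount=125000 currency=USD",
    "2016/05/14 09:00:12 payments-app txn_id=1003 user=carol amount=150000 currency=USD",
    "2016-05-14T09:01:00 fw-edge action=deny src=10.0.0.7 dst=10.0.0.1 dport=22",
    "2016-05-14T09:01:01 fw-edge action=deny src=10.0.0.7 dst=10.0.0.1 dport=22",
    "2016-05-14T09:01:02 fw-edge action=deny src=10.0.0.7 dst=10.0.0.1 dport=22",
    "2016-05-14T09:01:03 fw-edge action=deny src=10.0.0.7 dst=10.0.0.1 dport=22",
    "2016-05-14T09:01:04 fw-edge action=deny src=10.0.0.7 dst=10.0.0.1 dport=22",
    "2016-05-14T09:01:05 fw-edge action=deny src=10.0.0.7 dst=10.0.0.1 dport=22",
    "this line is not parseable at all",
]


def parse_event(line):
    """Return (timestamp, source, fields) or None when the line does not parse."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    fields = {}
    for kv in parts[2:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        fields[key] = value
    return ts, parts[1], fields


def rule_large_transaction(ts, source, fields, threshold=100000):
    """Business use case: alert on any transaction whose amount exceeds threshold."""
    if source != "payments-app" or not fields.get("amount", "").isdigit():
        return None
    amount = int(fields["amount"])
    if amount > threshold:
        return f"LARGE_TXN txn_id={fields.get('txn_id')} user={fields.get('user')} amount={amount}"
    return None


class DenyBurstRule:
    """Technical use case: `count` or more firewall denies from one source within `window`.
    The rule is stateful, so it lives in a class; count and window are the knobs that
    get retuned when the rule turns out to be noisy."""

    def __init__(self, count=5, window=timedelta(seconds=60)):
        self.count, self.window = count, window
        self.seen = defaultdict(list)  # src -> timestamps of recent denies
        self.fired = set()  # sources already alerted on, to avoid an alert storm

    def __call__(self, ts, source, fields):
        if source != "fw-edge" or fields.get("action") != "deny":
            return None
        src = fields.get("src")
        hits = [t for t in self.seen[src] if ts - t <= self.window] + [ts]
        self.seen[src] = hits
        if len(hits) >= self.count and src not in self.fired:
            self.fired.add(src)
            return f"DENY_BURST src={src} hits={len(hits)} window={self.window.seconds}s"
        return None


def run_correlation(lines, rules):
    """Apply every rule to every parsed event; return (alerts, parse statistics).
    Unparsed lines are counted rather than dropped silently, so the parse failure
    rate itself can be watched as a health metric."""
    alerts, stats = [], {"parsed": 0, "unparsed": 0}
    for line in lines:
        event = parse_event(line)
        if event is None:
            stats["unparsed"] += 1
            continue
        stats["parsed"] += 1
        for rule in rules:
            alert = rule(*event)
            if alert:
                alerts.append(alert)
    return alerts, stats


def silent_sources(lines, expected_sources, now, max_silence=timedelta(minutes=5)):
    """Log-source health check: expected sources that have not reported within
    max_silence of `now`. A source that never appears at all is reported too."""
    last_seen = {}
    for line in lines:
        event = parse_event(line)
        if event:
            ts, source, _ = event
            last_seen[source] = max(ts, last_seen.get(source, ts))
    return sorted(s for s in expected_sources
                  if s not in last_seen or now - last_seen[s] > max_silence)


if __name__ == "__main__":
    print(run_correlation(SAMPLE_LOGS, [rule_large_transaction, DenyBurstRule()]))
    print(silent_sources(SAMPLE_LOGS, {"payments-app", "fw-edge", "ad-dc01"},
                         now=datetime(2016, 5, 14, 9, 6, 0)))
```

Two things in the output are worth noticing. The 150000 transaction never raises an alert because its timestamp format differs from what the parser expects, which is exactly the parsing failure the text warns about; the `unparsed` counter is what makes that visible. And `ad-dc01`, an assumed domain controller that was supposed to be integrated, never reported at all, which the silence check reports alongside sources whose last event is older than the allowed gap.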
Another important aspect is staffing the SOC with skilled professionals. Their job responsibilities and their position in the RACI (responsible, accountable, consulted, informed) matrix should be built on the processes being integrated, such as activity monitoring, triage, incident response, security intelligence, etc.
Staff should be well trained and have the right tools to perform their jobs. Analysts should collect information from threat intelligence and research feeds where available.
Incident response is key to all activities within a security operations center. Response starts with triaging and rating the incident, then remediating its root cause. Tickets are opened and assigned to the individuals who work each step of the response on compromised systems.
A knowledge base can grow out of incident response history and experience. All of this should happen in a systematic and recorded fashion.
Day-to-day security operations require considerable help and support from other departments, including human resources, compliance, IT and legal. A steering committee with executives from these departments should be formed, and coordinators assigned.
Liaising with IT and other departments, through their designated coordinators, is crucial to fostering healthy relations across the business. KPIs and goals can be set, and committee members can be given access to SIEM dashboards and reports to monitor the parameters tied to their goals.
These five concepts may seem simple, but they can mean the difference between a successful security operations build and an ongoing headache.