Security Monitoring (SOC) PDF

Summary

This document provides an overview of Security Operations Centers (SOCs), outlining their definition, functions, and key aspects. It details the technological elements used in a SOC, particularly SIEM tools. It also provides guidance on critical considerations for establishing a successful SOC, including staff, tools, and operational procedures.

Full Transcript


Security Monitoring: Definition, Working, Key Transition Phases and Technology behind SOC (Security Operations Center)

Security has been a perpetual challenge for the world of computing over the last three decades. There has always been a catching-up game between the ‘bad guys’ and ‘the good guys’. While various technologies have evolved over the last two to three decades to protect cyber infrastructure and data from a variety of threats, ensuring protection has remained more or less an elusive dream. With the proliferation of computing capacity and the corresponding infrastructure sprawl, security is becoming increasingly complex. The addition of mobility and IoT adds to this complexity. Static security measures, which largely depended on a ‘lock and block’ approach, cannot assure protection in today’s complex IT world. The only way to create a level of assurance and gain a proper security stance for the organization is to monitor security, and to monitor it 24x7. Security operations centers play a pivotal role in this monitoring. They offer the infrastructure, operational and competence framework to facilitate 24x7 monitoring of security events and occurrences.

SOC Working (Technology and Solution behind a SOC)

A security operations center generally uses one technology or a collection of technologies to collect log and security data and aggregate it at a central location. This collection and aggregation of logs at a central location is done using SIEM tools and technologies. SIEM tools offer event mapping, transformation and triggering on the logs/events collected at the central location. SIEM tools also offer a variety of alerting mechanisms and search options to identify and raise security events. SOC members (aka SOC Analysts and Monitors) use these SIEM tools within the secure premises of the SOC to keep watch on a 24x7 basis, and raise an incident if they find an important alert and consider it worthy of action. Identifying security incidents and raising them as a report to customers, so that the customer can take proper action, is the primary function of a working SOC.

The following figure represents the collection of logs from various devices, software, servers, applications and other locations, and their consolidation at a central place by SIEM (security information and event management) technology.

An overview of SOC Establishment

A Security Operations Center (SOC) is a combination of an organized and highly skilled team whose mission is to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing, and responding to cyber security incidents with the aid of both technology and well-defined processes and procedures.

Important Considerations of a SOC

SOC working and its effectiveness depend on how well an organization understands its purpose, the critical points of establishing it well, the process needs, the reporting formats and, most of all, its existence in conjunction with other teams/work within the organization. Here are some of the key considerations while an organization works on adopting, operating and maturing a SOC.

> Clearly define the Mission, Responsibility and Scope of the SOC
> Take your time to determine the processes; not everything is out of the box
  * Identify and clearly document key templates
  * Check and validate (or create) the procedures & processes required to support the SOC
> Understand the environment (most SOCs fail because environmental parameters are not established)
  * Determine the domain to be monitored
  * Determine the ‘Use Cases/Alerts’
  * Determine the type of data received by the SOC
> Staff your SOC well (it needs the right expertise and security people, not ops people)
  * Identify roles and responsibilities well
  * Define the operational hours
  * Organize staff for shifts
> Security Tools and Technology Components (this is the most important aspect: the right tool)
  * Pick the right SIEM tool for your environment; you may need more than one
  * Assess all of your needs before you settle on a tool
  * Integrate the various security log sources with the SIEM tool for log collection
  * Make sure you don’t leave log and security data uncollected
> Manage the Events
  * Categorize, assign and prioritize events received by the SOC
> Threat Intelligence
  * Correlate aggregated security logs with the latest threats
> KRI (key risk indicator) & KPI (key performance indicator)
  * Perform risk and performance analysis for the SOC by creating reports
  * Use trend analysis for deeper detection
  * Create custom dashboards for your organization
> Integrate the SOC into the Organization
  * Improve the effectiveness of the SOC by collaborating with various teams within the organization
  * Ensure the outcome of the SOC is visible across departments
  * Ensure IT ops staff understand the working and criticality of the SOC
> Evangelize the need for proper incident response
  * Ensure the organization understands what an incident is
  * Encourage people to ask questions about security incidents and how they are handled
  * Get the response team to talk to the IT ops team so that incident details percolate

A SOC is only as good as the points mentioned above and their accommodation into the organization, during adoption of the SOC and also during the efforts to operationalize and mature it.

What to expect from a SOC

A SOC is used for security monitoring and for improving the chances of identifying incidents or patterns within the environment and responding to them before any harm or damage is caused. It is a good idea for an organization to clearly state and communicate what is expected from the SOC unit. Here are some key expectations which can be set as the primary ones for a SOC:

> Real-time Monitoring and Incident Detection
> Initial diagnostics and Incident Isolation
> Security Systems and Patch management for the core devices
> Computing Equipment and Endpoint Devices
> Work with Third Party vendors
> Escalations to the next tier level
> Closure of Incidents
> Proactive and Persistent Threat Investigation

Key Transition Phases

A SOC goes through its own course of evolution (in terms of its working, its effectiveness and its ability to cover all kinds of security incidents). This course is usually dictated by security operations capabilities, team competence, the depth of monitoring needed, the need for response and its SLA, and many more criteria. But a broad phase structure for the evolution of a SOC can be identified. Here is a general SOC evolution phase structure, which is usually followed in various SOCs. An understanding of this can make your planning much better, and it can also give you a proper basis for creating focus areas during the evolution of the SOC. Identifying and recognizing these evolution phases can also help you set the right expectations with all stakeholders and participants in SOC work and processes.

Cyber security Operation Center (CSOC) factors

1- SOC infrastructure

The SOC should maintain its own physical space in a secure facility. Creating a distinct location for the SOC, along with the requisite hardware and software, will facilitate shorter response times and promote unity, knowledge-sharing and closer teamwork.

2- Security Organization / People

A SOC requires talented resources who possess deep technical knowledge, and also a broad range of capabilities and diversity of experience. SOC staff should be able to efficiently analyze large volumes of data, intuitively recognizing the need for further investigation. An effective SOC should strike the right balance between security professionals and internal IT transfers who can bring a solid understanding of the company’s IT environment and the core business functions the infrastructure supports.

3- SOC Process / Strategy

Well-defined processes enable consistent operations and repeatable outcomes. The SOC needs to document and communicate processes effectively and implement change management mechanisms to quickly update processes when improvement opportunities arise.

4- SOC Technology

A SOC must be equipped with a suite of technology products that provide the right visibility into the environment, commensurate with the organization’s security posture. Some of the required tools may include intrusion detection and prevention technology; SIEM solutions; threat and vulnerability management tools; filtering technologies; data loss prevention tools; traffic/packet inspection solutions; data analytics platforms; and reporting technologies. In addition, depending on the scope of its responsibilities, the SOC may also have access to other business systems such as enterprise forensic tools in support of incident response investigation efforts.
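The collect, map, trigger and categorize flow that the SOC Working section and the ‘Manage the Events’ consideration describe, as an added Python example that is not part of the original document or of any SIEM product: it normalizes constructed SSH and firewall log lines into one schema, correlates them for a single use case (repeated failed logins from one source followed by a success), and emits alerts tagged with a category, priority and owning tier. The log lines, field names, threshold and window are all assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the page): an SSH auth log and a firewall log.
SAMPLE_LOGS = [
    ("sshd", "2024-03-01T09:00:01 sshd[812]: Failed password for root from 203.0.113.7 port 5100"),
    ("sshd", "2024-03-01T09:00:04 sshd[812]: Failed password for root from 203.0.113.7 port 5101"),
    ("sshd", "2024-03-01T09:00:09 sshd[812]: Failed password for root from 203.0.113.7 port 5102"),
    ("sshd", "2024-03-01T09:00:15 sshd[812]: Accepted password for root from 203.0.113.7 port 5103"),
    ("fw", "2024-03-01T09:00:20 action=DENY src=198.51.100.9 dst=10.0.0.5 dport=445"),
]
SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"^(\S+) action=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

def normalize(source, line):
    """Event mapping: parse one raw line into a common schema (None if unparsable)."""
    m = (SSH_RE if source == "sshd" else FW_RE).match(line)
    if not m:
        return None
    ts, *f = m.groups()
    ev = {"ts": datetime.fromisoformat(ts)}
    if source == "sshd":
        ev.update(category="authentication", outcome=f[0].lower(), user=f[1], src=f[2])
    else:
        ev.update(category="network", outcome=f[0].lower(), src=f[1], dst=f[2], dport=int(f[3]))
    return ev

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Triggering: MEDIUM alert once `threshold` failed logins come from one source inside
    `window`; HIGH alert if that source then logs in. Alerts carry category, priority, owner."""
    alerts, failures = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["category"] != "authentication":
            continue  # network events are stored but not part of this use case
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        if ev["outcome"] == "failed":
            recent.append(ev["ts"])
            failures[ev["src"]] = recent
            if len(recent) == threshold:
                alerts.append({"priority": "medium", "category": "brute_force",
                               "src": ev["src"], "assign_to": "tier1"})
        elif len(recent) >= threshold:
            alerts.append({"priority": "high", "category": "brute_force_success",
                           "src": ev["src"], "user": ev["user"], "assign_to": "tier2"})
            failures[ev["src"]] = []  # reset so one success raises only one alert
    return alerts

def run(sample=SAMPLE_LOGS):
    return correlate([e for e in (normalize(s, l) for s, l in sample) if e])
```

Running `run()` on the sample yields a medium alert after the third failure and a high alert on the subsequent success; the firewall event is normalized and retained but does not feed this use case.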
