Security Monitoring (SOC).pdf

Full Transcript

Security Monitoring
Definition, Working, Key Transition Phases and Technology behind SOC (Security
Operations Center)

Security has been a perpetual challenge for the world of computing over the last three
decades. There has always been a catching up game between the ‘bad guys’ and ‘the
good guys’. While various technologies have evolved over the period of last two to three
decades to protect the cyber infrastructure and data from variety of threats, ensuring
protection has been more or less an elusive dream.

With proliferation of computing capacity and corresponding infrastructure sprawl,
security is becoming increasingly complex. Additions of upper mobility and IoT are adding
to this complexity. Static measures of security which largely depended on ‘lock and block’
approach cannot assure the protection in today’s complex IT world.

Only way to create a level of assurance and gain proper security stance for the
organization is to monitor security, and, monitor it 24x7. Security operations centers play
a pivot role in this monitoring. They offer infra, operational and competence framework
to facilitate 24x7 monitoring of security events and occurrences.

SOC Working (Technology and Solution behind a SOC)

A security operations center generally uses one or collection of technologies to collect
the log and security data, and, aggregate it at a central location. This collection and
aggregation of logs at a central location is done, using SIEM tools and technologies.

SIEM tools offer event mapping, transformation and triggering using this collected
log/events at a central location. SIEM tools also offer variety of alerting mechanisms and
search options to identify and raise security events.

SOC members (aka SOC Analysts and Monitors) use these SIEM tools within the secure
premise of SOC to keep a watch on a 24x7 basis, and, raise an incident if they find an
important alert and consider it to be worthy of an action.

Identification of security incidents and raising these incidents as a report to customers, so
that customer can take proper action, is the primary function of a working SOC.

The following figure represents the collection of log from various devices, software,
servers, applications, other locations, and its consolidation at a central place by (security
information and event management) SIEM technology.
An overview of SOC Establishment
A Security Operations Center (SOC) is a combination of an organized and highly skilled
team whose mission is to continuously monitor and improve an
organization’s security posture while preventing, detecting, analyzing, and responding to
cyber security incidents with the aid of both technology and well-defined processes and
procedures.

Important Considerations of a SOC

SOC working and its effectiveness depends on how well an organization understands its
purpose, the critical points of establishing it well, the process needs, reporting formats
and most of all its existence in conjunction with other teams/works within organization.
Here are some of the key considerations while an organization works on adopting,
working and maturing a SOC.

> Clearly define the Mission, Responsibility and Scope of the SOC

> Take your time to determine the processes, not everything is out of box

* Identify and clearly document key templates

* Check and validate (or create) procedures & processes required to support SOC

> Understand the environment

* (most SOCs fail because environmental parameters are not established)

* Determine the domain to be monitored

* the ‘Use Cases/Alerts’

* Type of data that is received by SOC.

> Staff your SOC well

* (it needs the right expertise and security people, not ops people)

* Identify role and responsibilities well

* Define the operational hours

* Organize staff for shifts.

> Security Tools and Technology Components

* (This is the most important aspect, the right tool)

* Pick the right SIEM tool for your environment, you may need more than one

* Assess all of your need before you settle on a tool

* Integrate various security log sources for log collection with SIEM tool

* Make sure you don’t leave the log and security data un-collected

> Manage the Events
* Categorize, Assign and prioritize events received by SOC

> Threat Intelligence

* Correlating aggregated security logs with latest threats.

> KRI (key risk indicator) & KPI (key performance indicator)

* Perform and Risk and Performance analysis for SOC by creating Reports

* Use Trend Analysis for deeper detection

* Create custom dashboards for your organization

> Integrate SOC in the Organization

* Effectiveness of SOC by collaborating with various teams within the organization

* Ensure outcome of SOC is visible across the departments

* Ensure IT ops staff understands the working and criticality of SOC

> Evangelize the need of proper incident response

* Ensure organization understands what an incident is

* Encourage people to ask questions on security incidents and how they are handled

* Get the response team to talk to IT ops team to percolate the incident details

A SOC is as good as these points mentioned above, and, their accommodation into
organizations, during adoption of SOC, and also, during efforts to operationalize and
mature it.

What to expect from a SOC

A SOC is used for security monitoring and for improving the chances of identifying the
incidents or patterns within the environment and respond to them before any harm or
damage is caused. It is a good idea for an organization to clearly state and communicate
what is expected from the SOC unit.

Here are some key expectation which can be set as primary ones, from a SOC

> Real-time Monitoring and Incident Detection
> Initial diagnostics and Incident Isolation

> Security Systems and Patch management for the core devices

> Computing Equipment and Endpoint Devices

> Work with Third Party vendors

> Escalations to next tier level

> Closure of Incidents

> Proactive and Persistent Threat Investigation

Key Transition Phases

A SOC goes through its own course of evolution (in terms of working, its effectiveness
and ability to cover all kind of security incidents). And this course is usually mandated by
security operations capabilities, team competence, the need of depth in monitoring, need
of response and its SLA, and, many more criterion. But, a broad identification of phase
structure of evolution of SOC can be identified. Here is a general SOC evolution phase
structure, which is usually followed in various SOCs.

An understanding of this can make your planning much better. And, it can also give you
a proper basis to create focus areas during evolution of SOC. An identification and
recognition of these evolution phases can also help you set the right expectations with all
stakeholders and participants in SOC works and processes.
Cyber security Operation Center (CSOC) factors

1- SOC infrastructure
SOC should maintain its own physical space in a secure facility. Creating a distinct location
for the SOC, along with the requisite hardware and software, will facilitate shorter response
times and promote unity, knowledge-sharing and closer teamwork.

2- Security Organization / People
A SOC requires talented resources who possess deep technical knowledge, and also a
broad range of capabilities and diversity of experiences. SOC staff should be able to
 efficiently analyze large volumes of data, intuitively recognizing the need for further
investigation. An effective SOC should strike the right balance between security
professionals and internal IT transfers who can bring a solid understanding of the
company’s IT environment and the core business functions the infrastructure supports.
3- SOC Process/ Strategy
Well-defined processes enable consistent operations and repeatable outcomes. The SOC
needs to document and communicate processes effectively and implement change
management mechanisms to quickly update processes when improvement opportunities
arise.
4- SOC Technology
A SOC must be equipped with a suite of technology products that provide the right
visibility into the environment commensurate with the organization’s security posture.
Some of the required tools may include intrusion detection and prevention technology;
SIEM solutions; threat and vulnerability management tools; filtering technologies; data
loss.; prevention tools; traffic/packet inspection solutions; data analytics platforms; and
reporting technologies. In addition, depending on the scope of the responsibilities, the
SOC may also have access to other business systems such as enterprise forensic tools in
support of incident response investigation efforts.