Security Operations Centre (SOC) Expectation Vs Reality
Security Operations Centre (SOC) is becoming a hot topic in the market and everyone expects to fight in the cyber warfare.
Almost every day, we hear or read about a cyber-attack or breach in an organization’s security that causes a huge loss of data and money. Business owners are getting smarter, and they are starting to take strict actions towards cyber attackers. Today, organizations are starting to expand their vulnerability detection capabilities by investing in a Security Operations Center (SOC) that detects flaws in their IT infrastructure, which may lead to cyber attacks. Improving the organization’s IT security posture should be an owner’s main concern.
A Security Operations Center (SOC) is a facility that has an IT security team whose main job is to monitor and constantly analyze organizations' security posture on a daily basis. The security team analyzes the IT systems and detects flaws or threats through a strong set of processes and technology solutions. They are also responsible for identifying and resolving threats of an organization’s information assets. The SOC team works closely with incident response teams in an organization to quickly take actions upon discovery. The SOC team also consists of security analysts and experts who oversee security operations.
You would imagine a scenario in this case a futuristic room filled with lot of monitors and around 2:00 AM one analysts shout outs, "Chief I see an alert on IPS, I think we have been hit by a Trojan on payment services web cluster" Then the head who would preferably in your mind sitting in the middle of the room with a turning big chair shouts out, "Server and IoC Teams, Eyes up, what do you see?" Then the team yells we see a match on IoC with a Bad IP Hit. and the chief says "Ok Boys, get ready, all defense systems online, situation level 4" and the room light turns to red.
Actual SOC may be different from that where as it's a room of engineers taking care of an organisation technology architecture just as all engineers do, with a difference of operating rosters and may be some monitors for easier access to dashboard alerts.
When you have a SOC team in place (smart, technically capable people), with their mandate, their next task is to understand what it is they need to protect and the tools and information they have at their disposal. To understand what they need to protect your team needs a good knowledge of how your business works, and the technical systems that underpin those processes. This might sound like a lot of work, and it can be if you are starting from scratch. You might want to consider bringing some of your organisations technical veterans into the team. Leveraging their existing corporate knowledge (technical and business) will speed the process considerably.
What to look for
For example, most agencies’ cyber security team will already track and respond to excessive failed logins. But a careful and patient adversary, the sort you are relying on your detection capability to find, is not going to conveniently announce their presence by doing the digital equivalent of pounding on the door in the hope that it opens. So it is essential that the team understands which kind of activities that they need to be looking out for. May be a successful login from an administrative account through VPN which was after 6 months?
Arm the team
As your SOC team’s detection capabilities expand, there are many options for improving and refining their capability. Pentesting in particular can provide valuable feedback on the effectiveness of detection and response capability. Some organisations now use rolling ‘Red on Blue’ exercises to help maintain a high level of alertness in their SOC teams. These exercises provide the incentives and input to drive a culture of continuous improvement of detection capabilities.
Should it really by 24x7?
Another area where SOCs are often more expensive than necessary is 24 x 7 staffing. The “Bridge of the Enterprise” metaphor creates an impression that attacks are detected in close to real time, and that taking action straight away can help prevent and minimise the impact of breaches.
IPS and antivirus systems will inform you of attacks they block in real time. However, these events are rarely things that require immediate operator review. Sometimes an event might be concerning (e.g. an AV system deep in your defences is triggered) but usually if the IPS or antivirus system detects it then the threat is entirely dealt with.
It's not always about products and features
The temptation to select your SIEM based on the latest ‘killer’ features will be very strong. But the rate of churn in effective security features is high and today’s SIEM with the ‘killer’ feature can easily be a technical dead end in 3 years. Your normal architectural principles have to apply. Advice from those that have done this before is that a flexible and relatively open product, with an existing pool of skilled people to support it, tends to be more future-proof.
Today, it is important for organizations to ensure that their IT infrastructure is well protected because it holds very valuable information and is an integral part of the company. SOC services provide deep insights into an organizations security posture and recommend the fixes and changes to ensure healthy IT infrastructure. It can be a very expensive affair to lose your data in case of a cyber-attack, but if you have SOC services in place, then it proactively detects incidents and ensures optimum safety.
With experience from Clem Colman from Australian Cyber Security Centre