With attacks happening on a seemingly regular basis, many organizations are refocusing their security efforts from prevention to timely detection. When talking about detection, two key components come to mind: reducing the "dwell time" for adversaries and controlling their lateral movement.
Reducing dwell time concentrates on timely detection and controlling how long the adversary is within an environment before it is detected. Because today's adversaries are stealthy, targeted and data-focused, many organizations are compromised for more than 10 months before the breach is detected, which typically results in significant damage. For an adversary to go undetected this long is unacceptable.
Lateral movement is centered on how quickly an adversary can move within an organization and the amount of damage that is caused by these movements. Often an adversary will target a client system and use that system to break into other systems, spreading quickly throughout an environment. Proper network design involving highly segmented networks can assist in controlling the damage.
Timely detection and controlling damage require gaining greater visibility into an environment with continuous monitoring capabilities. This manifests itself in the form of a security operations center, or a SOC. While many organizations are setting up a security operations center, they don't always know what it should do or how to get started. At its most basic level, a security operations center is dedicated to correlating and analyzing data related to what is occurring within an organization with special attention on timely detection. To help ease navigation of the battlefield of security operations centers, here are the initial areas to focus efforts.
Consolidation and authority
All data and information feeds need to be consolidated onto a single dashboard. It is okay to have a follow-the-sun model for a SOC, but each location must have a single dashboard to perform the analysis. If different entities each have a different piece of the puzzle, coordination becomes difficult, which ultimately leads to longer lead time to catch a compromise. The SOC must also have the proper authority to take action when a problem is detected. If the SOC can detect a compromise in a timely manner but it takes a long time to get approval to take action, the amount of damage increases exponentially.
Metrics and value
It could take years for a SOC to fully evolve and reach a proper operating state. The trick is to have clear metrics that correlate directly to adverse activity. It is better to have just a few clear metrics being tracked and reported than to have the team spread too thin. Clear focus is critical not only to show the value to management, but also to make a measurable difference in security.
Technology and staff
Security solutions are composed of both technology and people. Organizations will often give security a big budget to purchase a lot of equipment, but will not give it the people it needs to implement the solution. Any budget item should include both the dollars and staff that are needed to implement the solution. Many organizations have a room filled with expensive equipment, but no staff to properly run the operations center. A security information and event management piece of software does not magically detect attacks unless it is properly configured. Without proper staffing, all of the money in the world will not create an effective SOC.
Often when organizations set up a SOC, they turn on full logging for every device on the network and suffer information overload. It's better to have small amounts of the right information (such as failed login attempts) than large amounts of useless information. Many SOCs waste a lot of time analyzing noise, and it takes a long time to get to the valuable information. It is better to apply proper filtering so analysts have just the information they need when they need it.
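As an added illustration of the filtering point above (example code written for this page, not part of the original article), the script below keeps only failed-login events out of a constructed, syslog-style sshd log, then aggregates them per source address so an analyst sees one alert instead of every raw line. The log lines, hostnames, addresses and the threshold of three are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log in OpenSSH/syslog style; not taken from the article.
SAMPLE_LOG = """\
Mar  3 10:00:01 host1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Mar  3 10:00:07 host1 sshd[1202]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar  3 10:00:09 host1 sshd[1203]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar  3 10:00:12 host1 sshd[1204]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2
Mar  3 10:00:15 host1 cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:00:20 host1 sshd[1205]: Failed password for bob from 10.0.0.7 port 52000 ssh2
Mar  3 10:00:31 host1 sshd[1206]: Accepted password for bob from 10.0.0.7 port 52001 ssh2
Mar  3 10:00:40 host1 sshd[1207]: Failed password for root from 203.0.113.9 port 40004 ssh2
"""

# Matches only sshd "Failed password" lines; "invalid user" is optional so
# both known and unknown account names are captured.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def failed_logins(log_text):
    """Keep only failed-login events; everything else is noise for this use case."""
    events = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            events.append((m["ts"], m["user"], m["src"]))
    return events

def sources_over_threshold(events, threshold=3):
    """Aggregate failures per source address; return sources at or over the threshold."""
    counts = defaultdict(int)
    for _, _, src in events:
        counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    ev = failed_logins(SAMPLE_LOG)
    print(f"{len(ev)} failed logins kept out of {len(SAMPLE_LOG.splitlines())} lines")
    for src, n in sources_over_threshold(ev).items():
        print(f"ALERT: {src} had {n} failed logins")
```

The same two-stage pattern (filter to the event type that matters, then aggregate) is how a SIEM rule turns thousands of raw lines into the handful of items an analyst actually needs to look at.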
In summary, when setting up, deploying and running security operations centers, it's important to have specific goals that need to be accomplished. The following is a SOC checklist that can be used to align an organization's efforts:
- Clearly define the objectives and what constitutes success
- Plan "long term," execute "short term"
- Determine metrics to identify what is working and what is not
- Learn, configure and become one with your tools
- Utilize experts/outsourcing to increase effectiveness
- Determine storage capabilities and critical data sources
About the author:
Eric Cole, Ph.D., is an industry-recognized security expert with more than 25 years of hands-on experience. He is the founder of and an executive leader at Secure Anchor Consulting, where he provides leading-edge cybersecurity consulting services and expert-witness work, and leads research and development initiatives to advance state-of-the-art information systems security. He was the lone inductee into the Infosecurity Europe Hall of Fame in 2014. He is actively involved with the SANS Technology Institute and is a SANS faculty senior fellow and course author who works with students, teaches, and develops and maintains courseware.