Setting up a Security Operations Center (SOC)

Information security has become a requirement that can no longer be ignored or postponed by businesses around the world. An integral part of securing information is constantly monitoring the traffic and activities on the network. This requires having the pool of properly trained staff and the right tools to do so. The team and facility that handles this task is called the Security Operations Center.

In the words of AlienVault, ‘SOC teams are responsible for monitoring, detecting, containing, and remediating IT threats across critical applications, devices, and systems, in their public and private cloud environments as well as physical locations. Using a variety of technologies and processes, SOC teams rely on the latest threat intelligence to determine whether an active threat is occurring, the scope of the impact, as well as the appropriate remediation.’

This means that containing and mitigating threats is as much a part of the SOC's job as monitoring and detecting them. Running a SOC properly therefore needs a skilled team along with the right tools. The steps below describe how to get there.

1. Setting up the SOC team

The first step, as with most departments, is to form a team of people who can handle the responsibilities. In the case of a SOC at a medium-sized company, the team consists of 4 to 5 people and can be divided into 3 layers. The first layer is the analyst, with an eye for detail and strong observational skills; a certified incident handler or similar is a good choice. The second layer is a more experienced manager who is an expert in the field. The third layer is the head of the SOC, with strong leadership and communication skills along with a vision for the future.

2. Define the SOPs

The next step is to define the standards and procedures that the team is expected to follow in order to achieve the objective of the SOC. For each event or area there should be a guideline which the security analyst is expected to follow. The parts this SOP should cover are as follows:

– Event Classification and Triage: Define which events are important and are the ‘signal in the noise’.

– Prioritization and Analysis: Identify which alerts or events are to be looked at first. This may change according to the asset at stake or the duration of the threat, so ranking the assets in order of importance is a prerequisite of this step.

– Remediation and Recovery: Define the steps to be followed in case of an incident. This should include the personnel who need to be contacted to keep the impact to a minimum, such as a professional incident handler.

– Assessment and Audit: Running network vulnerability scans and generating compliance reports are some of the most common audit activities for SOC team members. Additionally, SOC team members may also review their SOC processes with audit teams (internal and external) to verify policy compliance as well as determine how to improve SOC team performance and efficiency.

3. Setting up security tools

The next step is to set up tools that will fetch and record all the raw data from the network. This means setting up tools to record events in logs, such as login/logoff events, outbound data transfers, traffic allowed and denied by firewalls, etc. Some of the tools that should be on the list are as follows:

– SIEM: Security Information and Event Management is a must-have tool for a SOC. SIEMs were developed on the assumption that by looking for certain patterns of activity and sequences of events, you can detect an attack as well as validate and demonstrate regulatory compliance. SIEM tools provide a core foundation for building a SOC because of their ability to apply dynamic correlation rules against a mountain of disparate and varied event log data to find the latest threats.

– IDS: Intrusion Detection Systems are another integral part of a SOC. A set of rules is defined in a tool such as Snort, which raises alerts when the defined conditions are met.

– IPS: Intrusion Prevention Systems are the firewalls, DMZs or honeypots that exist with the sole purpose of stopping an attack before it happens.

– Behavioral Monitoring: Creating a baseline of system and network behavior provides the essential foundation for spotting anomalies, which often signal the presence of cyber adversaries in your environment.

Apart from these, any industry-standard tool that assists the function of the SOC should be included, such as a vulnerability scanner to identify weaknesses beforehand.
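To make the SIEM correlation idea from step 3 and the asset-based prioritization from step 2 concrete, here is a small Python example added to this article (it is not from the original post or any SIEM product): a rule that flags several failed logins from one source followed by a success, then ranks the alerts by asset criticality. The log format, hostnames, addresses and the asset register are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login/logoff audit lines (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 host=web01 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:03 host=web01 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:04 host=web01 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:06 host=web01 user=alice src=10.0.0.5 result=FAIL
2024-03-01T09:00:09 host=web01 user=alice src=10.0.0.5 result=SUCCESS
2024-03-01T09:05:00 host=db01 user=bob src=10.0.0.9 result=FAIL
2024-03-01T09:30:00 host=db01 user=bob src=10.0.0.9 result=SUCCESS
"""

# Hypothetical asset register (step 2): criticality drives alert priority.
ASSET_CRITICALITY = {"db01": "critical", "web01": "high"}  # anything else: low

LINE_RE = re.compile(r"(\S+) host=(\S+) user=(\S+) src=(\S+) result=(\S+)")

def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, user, src, result = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "user": user, "src": src, "result": result})
    return events

def correlate(events, threshold=3, window=timedelta(minutes=2)):
    """Correlation rule: at least `threshold` FAILs from one (src, user) within
    `window`, followed by a SUCCESS, is a possible brute-force login."""
    recent = defaultdict(list)   # (src, user) -> timestamps of recent FAILs
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        fails = [t for t in recent[key] if ev["ts"] - t <= window]  # drop stale
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
        elif len(fails) >= threshold:
            alerts.append({"host": ev["host"], "user": ev["user"], "src": ev["src"],
                           "failures": len(fails),
                           "priority": ASSET_CRITICALITY.get(ev["host"], "low")})
        recent[key] = fails
    # Triage order: most critical assets first.
    rank = {"critical": 0, "high": 1, "low": 2}
    return sorted(alerts, key=lambda a: rank[a["priority"]])
```

Running `correlate(parse(SAMPLE_LOG))` yields one alert for alice on web01 (four failures, priority high); bob's single failure on db01 falls outside the two-minute window and is not flagged, which shows why the window and threshold must be tuned per environment.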

In short, constant upgrading of both tools and staffing is the strength of a successfully running SOC and is what keeps the company's assets safe.
