Monitoring and logging have been core components of cyber assurance strategies for many years. However, the reality that cyber-attacks and breaches now happen to organizations of every size and sector is bringing the need for round-the-clock ‘situational awareness’ to the fore.
The SOC (Security Operations Centre) provides a centralized hub for organizational logging and monitoring. It can be run in-house or outsourced, and its purpose is to give visibility of technical and security issues across the environment.
Asking the right questions
Many organizations believe that simply by having a 24x7 SOC in place they have enhanced their security and are better protected against threats and vulnerabilities, yet this can lead to a false sense of security. On the one hand, having dedicated analysts watching the environment continuously has obvious benefits, given that attackers are unlikely to keep regular working hours; on the other hand, is continuous coverage really the overriding factor that determines whether a breach is detected and handled in the best possible manner?
The reality is that a 24x7 SOC is not, in itself, the primary indicator of success. The questions that need to be addressed are ‘how good is the SOC?’ and ‘how can that be measured?’ A SOC needs to be operating at the best of its ability, maturing steadily and constantly updating with emerging threat intelligence: not just the latest threats but also new ways of detecting them. An effective SOC should not be a standalone department; it needs full interaction with a comprehensive cyber security assurance program for optimal results.
Cyber security awareness & threat intelligence
The main areas usually discussed when assessing the capability of a SOC are technology, people, process and information. Threat intelligence (TI) is a further vital component in the context of assurance, that is, having confidence that an incident will be detected and dealt with effectively when it arises.
Accurate TI is crucial for detecting threat actors and their activity. One of the first challenges faced by any monitoring and logging solution is the sheer volume of logs and data that an organization has to deal with; TI helps to separate the events that matter from the rest. Effective TI should help accomplish the following:
- Identify threat actors: Knowing the enemy is vital for all organizations. Identifying who potential adversaries are, but also how they operate and how they are likely to strike, is invaluable intelligence
- Understand the context of risk: A SOC must know what the business’s critical assets are, where they are located and what vulnerabilities they may have in order to monitor them effectively
An effective SOC must use TI to inform, shape and define the service it provides. This should ideally be supported by a red team (made up of penetration testing experts) that is fully integrated with the SOC: an organization with no experience of real attacks is unlikely to have an accurate understanding of the capabilities it needs to defend its networks. There are four key considerations for those looking to implement a SOC:
- Information: All SIEM platforms take in data from log sources and correlate it. Which sources are used, how they are tuned and how effective they are at detecting the type of activity they are meant to detect are all important. Incorporating information about the environment (key assets, vulnerabilities, threats etc.) is also vital, because it gives the analyst the context needed to judge whether a correlated event matters
- People: When addressing personnel within the SOC, it is important to recruit based on experience and certification, but also to assess capability directly. Although it may be tempting to employ entry-level candidates, an experienced team with a variety of skill sets is ideal. Members of the team should also support the maturity process by helping to develop processes for environmental tuning, and should be regularly trained and assessed to support the day-to-day running of the SOC
- Tools/Systems: The SOC tool set should be far more than just a SIEM platform (although this is a key element). Host-based agents, network captures, TI products, honeypots and so on are just as significant. How effective and intelligent the tool set is, and how well it is used, will directly affect the value the SOC gets from it. The SOC platform should not be considered a single, standalone SIEM product that will protect organizational security in its entirety; the initiative should be taken to see what other tools can be used alongside it to generate more intelligent alarms and events
- Processes: When a threat is detected, a defined process must be in place with an efficient escalation plan, and it must be regularly assessed to ensure maximum efficiency
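As an added illustration of the Information, Tools/Systems and Processes considerations above (this is example code written for this page, not a product or the author's own tooling), the following Python script correlates a handful of constructed log lines against a constructed TI feed and asset inventory, scores each alert using asset criticality and known vulnerabilities, and maps the score to an escalation action. The indicators, hostnames, vulnerability notes and escalation thresholds are all hypothetical; a real SOC would source them from its own TI platform, CMDB and runbooks.

```python
"""Example only: TI-enriched correlation with asset context and escalation."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed TI feed (hypothetical indicators): source -> actor, description, base severity.
THREAT_INTEL = {
    "203.0.113.45": {"actor": "APT-EXAMPLE", "desc": "known C2 address", "severity": 3},
    "198.51.100.7": {"actor": "crimeware-example", "desc": "credential stuffing source", "severity": 2},
}

# Constructed asset inventory (hypothetical): host -> criticality and known weaknesses.
ASSETS = {
    "db01": {"criticality": "high", "vulns": ["unpatched SSH service"]},
    "ws42": {"criticality": "low", "vulns": []},
}

CRITICALITY_WEIGHT = {"high": 2, "medium": 1, "low": 0, "unknown": 1}
BRUTE_FORCE_SEVERITY = 3          # base score for a success-after-failures pattern

# Constructed sample logs in a simple syslog-like layout: ts host event src=... [user=...]
SAMPLE_LOGS = """\
2024-01-01T10:00:01Z db01 ssh_login_failed src=198.51.100.7 user=root
2024-01-01T10:00:02Z db01 ssh_login_failed src=198.51.100.7 user=root
2024-01-01T10:00:03Z db01 ssh_login_failed src=198.51.100.7 user=root
2024-01-01T10:00:09Z db01 ssh_login_ok src=198.51.100.7 user=root
2024-01-01T10:05:00Z ws42 outbound_connect src=203.0.113.45
2024-01-01T10:06:00Z ws42 ssh_login_failed src=192.0.2.10 user=alice
"""

LOG_RE = re.compile(r"(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) src=(?P<src>\S+)(?: user=(?P<user>\S+))?")


@dataclass
class Event:
    ts: str
    host: str
    event: str
    src: str
    user: Optional[str]


def parse_logs(text: str) -> List[Event]:
    """Parse log lines into events; lines that do not match the format are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["host"], m["event"], m["src"], m["user"]))
    return events


def escalate(score: int) -> str:
    """Map a score to a process step (hypothetical thresholds from an escalation plan)."""
    if score >= 5:
        return "page on-call now"
    if score >= 3:
        return "analyst review this shift"
    return "log only"


def make_alert(rule: str, base: int, ev: Event, asset: Dict, intel: Dict) -> Dict:
    """Score = rule base + asset criticality + 1 if the event touches a known weakness."""
    score = base + CRITICALITY_WEIGHT[asset["criticality"]]
    if ev.event.startswith("ssh_") and any("SSH" in v for v in asset["vulns"]):
        score += 1  # environmental context: this host has an unpatched SSH service
    actor = intel.get(ev.src, {}).get("actor")
    return {"rule": rule, "ts": ev.ts, "host": ev.host, "src": ev.src,
            "actor": actor, "score": score, "escalation": escalate(score)}


def correlate(events: List[Event], intel=THREAT_INTEL, assets=ASSETS, fail_threshold=3) -> List[Dict]:
    """Two rules: a TI indicator match (once per host/source) and success after repeated failures."""
    alerts: List[Dict] = []
    failures: Dict[tuple, int] = {}   # (host, src) -> consecutive failed logins
    seen_ti = set()                   # suppress duplicate TI alerts for the same host/source
    for ev in events:
        asset = assets.get(ev.host, {"criticality": "unknown", "vulns": []})
        key = (ev.host, ev.src)
        if ev.event == "ssh_login_failed":
            failures[key] = failures.get(key, 0) + 1
        elif ev.event == "ssh_login_ok":
            if failures.get(key, 0) >= fail_threshold:
                alerts.append(make_alert("brute_force_success", BRUTE_FORCE_SEVERITY, ev, asset, intel))
            failures[key] = 0
        if ev.src in intel and key not in seen_ti:
            seen_ti.add(key)
            alerts.append(make_alert("ti_indicator_match", intel[ev.src]["severity"], ev, asset, intel))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

Run as-is, the script raises three alerts from six log lines: the credential-stuffing source hitting the high-criticality, SSH-vulnerable database host is paged immediately, the later successful login after three failures is paged with an even higher score, and the workstation contacting a known C2 address is queued for analyst review. The single failed login from an unknown source on a low-criticality host produces nothing. The point is the one the list makes: the same indicator feed yields very different actions once asset criticality and known vulnerabilities are part of the correlation, and the escalation step is decided by a defined rule rather than by whoever happens to be on shift.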
Before a company decides that a 24x7 service is the key requirement of its SOC, it must bear in mind that there may be significant hurdles to overcome in order to achieve this. Ultimately, a 24x7 service alone is no guarantee of a higher level of assurance. If a SOC is working to the optimal standards outlined above, there may be little need for a 24x7 service, as genuine threats would be correctly detected, classified and acted upon.