Requirements of a good Security Operations Centre

I have recently been thinking about and reading up on how to improve Security Operations Centres (SOC) to meet the constantly evolving environment and threat landscape in which we operate.  There are obviously many tools that are required from Network Monitoring to IPS (Intrusion Prevention System) to Log Collection and Correlation systems to Auditing and File Integrity Monitoring.

This post will however briefly cover the ‘soft’ side of the SOC and three key skills / processes that there seems to be agreement are required for a SOC to be effective and forward looking.

The first of these is understanding the business and business systems in detail and being able to put any event in the context of the business.  Which systems are affected?  Which business processes does this impact?  What is the relative priority?  This means the team needs to understand more than just vulnerability x and y and their generic severity rating.  They must understand your business context and be able to effectively relate events to this.  Tools can also help here in terms of event correlation and scale of the issue, this is where the new breed of ‘big data’ real time analysis and correlation tools such as Splunk, Palantir, or Security Analytics.

The second key skill / process is that of effective incident handling. This must again focus on your specific business and the priorities in case of an event, such as evidence gathering, escalation, keeping services running, regulatory requirements.  The event must be related to these factors with an understanding of it’s impacts to your business.  The more effective and streamlined this process can be, the lower the impact will be when the inevitable issues from virus infections to ful scale breaches occur.

The third key area is around business processes.  Any process that involves users of the companies system will likely be key attack vectors.  Technology can’t ever stop all attacks – this is why social engineering is still the number 1 way any attackers gain a foothold in most environments.  The security team must work with the business to perform threat assessment and modelling sessions to understand the attack vectors and work with the users to minimise or mitigate them.  Solid user training, awareness and engagement will also help here.

Attackers who want to get into your system for whatever reason from financial gain to hacktivism are constantly changing and improving their game.  We need to work hard to keep up and keep them out or at least contained.  A well formed and smoothly functioning SOC that is closely aligned to the business is a key part of any organisations defence.

K

Cloud Security Alliance Congress Orlando 2012 pt3 – Day 1 closing keynote

Next Generation Information Security – Jason Witty

 Some statistics and facts to set the scene;

–          93.6% is the approximate percentage of digital currency in the global market!

–          6.4% cash and gold available as a proportion of banking and commerce funds..

–          45% US adults own a smartphone – 21% of phone users did mobile banking last year.

–          62% of all adults globally use social media

–          Cloud ranking as #1 in top strategic technologies according to Gartner – 60% of the public cloud will serve software by 2018

–          2015 predicted as the year when online banking will become the norm..

–          Nielson global trust in advertising report for 2012;

–          28,800 respondents across 56 countries – Online recommendations from known people and review sites 80-90%+used and trusted, traditional media, falling below 50% used and trusted.

–          NSA were working on their own secure smartphone.  Plans scrapped and now they are working on how to effectively secure consumer smart phone devices.  Consumer mobile devices are everywhere!

Emerging innovations; cloud computing..

–          IDC forecasts $100bn will be spent per year by 2016, compared to $40bn now.

–          By 2016 SaaS will account for 60% of the public cloud

Cost savings often cited as reason for moving to the cloud; however other benefits like agility, access to more flexible compute power etc. often mean cloud migrations enable better IT for the business and thus you can do more.  So increased quality and profit result, but casts likely remain flat.

Trends in Cybercrime;

Insiders – can be difficult to detect, usually low tech relying on access privileges

Hacktivists – responsible for 58% of all data theft in 2011

Organised crime – Becoming frighteningly organised and business like

Nations states – Since 2010 nation state created malware has increased from 1 known to 8 known with 5 of those in 2012.   Nation states now creating dedicated cyber-warfare departments, often as official, dedicated parts of the military.

 

Organised Crime – Malware as a Service

Raw material (stolen data) – Distribution (BotNet) – Manufacturer (R&D, Code, Product Launch) – Sales and support (Delivery, Support (MSI package installation, helpdesk), Marketing – Customer (Affiliates, Auctions / Forums, BotNet Rental / Sales)

Crime meets mobile – Android – patchiy updates as vendor dependant, many pieces of malware, but play store security getting better.

Nation states becoming increasingly active in the world of malware creation..

 

So, Next generation Information Security;

–          Must be intelligence driven

  • Customer
  • Shareholder
  • Employee
  • Regulatory
  • Business line
  • Cyber threat

–          Must be comprehensive

  • Anticipate – emerging threats and risks
  • Enable –
  • Safeguard

–          Must have excellent human capabilities

–          Must be understandable – need to explain this and ensure the board understands the risks and issues – PwC survey – 42% of leadership think their organisation is a security front runner.  8% actually are.  70% leadership thing info sec working well – 88% of infosec think leadership their largest barrier to success..

–          We cannot do this alone: Strong intelligence partnership management

Pending cybercrime legislation;

–          White house has stressed importance of new cyber security legislation.

–          Complex laws take time to review and pass; technology environments change fast.

–          Various Federal laws currently cover cybercrime – Federal computer fraud and abuse act, economic espionage act etc.

–          Likely executive order in the near future with potentially large cybercrime implications.

While this is a very US centric view, many countries or regions are planning to enact further, more stringent laws / regulations that will impact the way we work.

 

Intelligence driven: the next phase in information security;

–          Conventional approaches to information security are struggling to meet increasingly complex and sophisticated threats

–          Intelligence driven security is proactive – a step beyond the reactive approach of the compliance-driven or incident response mind-sets

–          Building and nurturing multiple data sources. Developing an organisational ability to consolidate, analyse and report, communicate effectively and then act decisively benefits both operational / tactical security and strategy.

–          Establish automated analytics and establishing patterns of data movement in your organisation

I recommend you review – Getting ahead of advanced threats: Achieving intelligence-driven information security – RSA report, 2012.  This can be downloaded from here;

http://www.rsa.com/innovation/docs/11683_SBIC_Getting_Ahead_of_Advanced_Threats_SYN_UK_EN.pdf

K